Events Related
- OWASP ATL Presentation – intrepidusgroup.com
I recently gave a presentation at OWASP ATL on the OWASP Mobile Top 10 and how to assess mobile applications. This was a light weight discussion of the OWASP Mobile Top 10 and some topical and technical concerns related to securing mobile applications.
- OWASP Benelux Days 2011 – blog.rootshell.be
The OWASP Benelux Days is a two-day event organized by three OWASP chapters (Belgium, Netherlands and Luxembourg). The 2010 edition was organized in Eindhoven (NL). This year, it was organized in Luxembourg. After a safe trip, sharing my car with a friend, we arrived at the Luxembourg University.
- BSIMM Community Conference – cigital.com
Cigital recently hosted a second BSIMM Community Conference near Portland, Oregon. The Conference was outstanding, and was a great opportunity for like-minded software security professionals to compare notes.
Resources
- Netsec’s Q4 2011 Information Security Hiring Thread – reddit.com
If you have open positions at your company for information security professionals and would like to hire from the /r/netsec user base, please leave a comment detailing any open job listings at your company.
- Restricted Character Set Vulnserver Exploit Tutorial – resources.infosecinstitute.com
Vulnserver is a Windows server application that deliberately includes a number of exploitable buffer overflow vulnerabilities, and was designed to act as a target application to teach and practice basic fuzzing, debugging and exploitation skills. More information on Vulnserver, including a download link, is available here.
- November 2011 OWASP Newsletter – owasp.blogspot.com
November OWASP newsletter now available for download.
Tools
- Pipal, Password Analyser – digninja.org
On most internal pen-tests I do I generally manage to get a password dump from the DC. To do some basic analysis on this I wrote Counter and since I originally released it I’ve made quite a few mods to it to generate extra stats that are useful when doing reports to management.
- Intercepter-NG – An Advanced Sniffing Tool! – intercepter.nerf.ru/Intercepter-NG.v09.zip
Intercepter-NG is a new and improved sniffing tool with many added features. It supports several sniffing modes. For instance, in raw mode, it acts like a pure sniffer with an appearance similar to Wireshark, providing enough functionality to perform a quick research of the network traffic. In the eXtreme mode Intercepter-NG will analyze all TCP packets without checking ports.
- USRP For NFC Part 1 – intrepidusgroup.com
The USRP from Ettus Research is an awesome tool for radio analysis. It’s a really complex tool that is capable of doing almost anything involving radio signals (see these two previous Insight posts by Corey and myself, and Raj). That doesn’t even scratch the surface, though. This post will go into the detailed hardware setup for investigating NFC over-the-air communication using the USRP.
- Signed TaskManager – blog.didierstevens.com
This new version 0.1.1 of my TaskManager spreadsheet is exactly the same as version 0.1.0, except that it is digitally signed.
- Android Web Content Resolver – labs.mwrinfosecurity.com
When assessing Android devices and applications we regularly come across vulnerabilities in Android Content-Providers. These vulnerabilities are often similar to those found in web application security tests. In particular SQL Injection and directory traversal vulnerabilities are common problems in Content-Providers.
- How To Find Android 0Day In No Time – labs.mwrinfosecurity.com
Today we are releasing WebContentResolver, an Android assessment tool which allows you to find Content-Provider vulnerabilities in no time. A Content-Provider is one of Android’s IPC endpoints; it is commonly used to implement data storage in applications and to offer access to this data to other applications on the device.
- The Mole – Automatic SQL Injection SQLi Exploitation Tool – darknet.org.uk
The Mole is an automatic SQL Injection exploitation tool. Only by providing a vulnerable URL and a valid string on the site it can detect the injection and exploit it, either by using the union technique or a boolean query based technique.
Techniques
- DNS Hacking (Beginner to Advanced) – resources.infosecinstitute.com
DNS is a naming system for computers that converts human readable domain names (e.g. infosecinstitute.com) into computer readable IP addresses. However some security vulnerabilities exist due to misconfigured DNS nameservers that can lead to information disclosure about the domain.
- POP POP RET: SEH Exploiting Process – marcoramilli.blogspot.com
This morning I want to talk a little bit about Structured Exception Handling (SEH) exploitation. Some readers, during a Skype meeting early last week, pointed out to me that I never wrote about it, so let’s talk a little bit about it.
- "Hacking" Printers – PJL Basics – hackonadime.blogspot.com
A short while later in my career, I got to be known as the AIX “hacker” because I knew more about AIX than even some IBM techs I’d talk to on the phone. That’s why the term “Hacking” in the title has quotes. What we’re going to talk about today is understanding some very basic features that most people have forgotten about and being able to manipulate those features to help us do some bad stuff.
- CSRF with JSON – Leveraging XHR and CORS – sheeraj.blogspot.com
Same Origin Policy (SOP) dictates cross domain calls and allows establishment of cross domain connections. SOP bypasses allow a CSRF attack vector: an attacker can inject a payload on a cross domain page that initiates a request without the consent or knowledge of the target user.
- Embedding A Link To A Network Share In A Word Doc – carnal0wnage.attackresearch.com
Someone asked me how to embed an HTML link to an SMB share into a Word doc. End result would be to use the capture/server/smb or exploit/windows/exploit/smb/smb_relay modules. Easy right? Well it wasn’t THAT easy… In Office 2010 when I’d go to pull in a picture to the document by adding a picture from a network share, the picture would become part of the doc and not be retrieved every time the document opened. The solution was to add some HTML to the document.
- SQL Injection Attack Happening ATM – isc.sans.edu
Typically it is inserted into several tables. From the information gathered so far it looks targeted at ASP, IIS and MSSQL backends, but that is just speculation. If you find that you have been infected please let us know and if you can share packets, logs please upload them on the contact form.
Vulnerabilities
- 1% of CMS-Powered Sites Expose Their Database Passwords – feross.org
Nearly 1% of websites built with a content management system (like WordPress or Joomla) are unknowingly exposing their database password to anyone who knows where to look.
- Researchers Find Big Leaks In Pre-Installed Android Apps – arstechnica.com
Researchers at North Carolina State University have uncovered a variety of vulnerabilities in the standard configurations of popular Android smartphones from Motorola, HTC, and Samsung, finding that they don’t properly protect privileged permissions from untrusted applications.
Other News
- Trevor Eckhart vs. Android Phones
The Android developer who raised the ire of a mobile-phone monitoring company last week is on the attack again, producing a video of how the Carrier IQ software secretly installed on millions of mobile phones reports most everything a user does on a phone.
- Researcher’s Video Shows Secret Software on Millions of Phones Logging Everything – wired.com
- BUSTED! Secret app on millions of phones logs keys – theregister.co.uk
- Android handsets secretly logging keystrokes, SMS messages? – news.cnet.com
- Is Carrier IQ A Big Data Mercenary? – gigaom.com
- Carrier IQ Admits Holding ‘Treasure Trove’ of Consumer Data, But No Keystrokes – wired.com
- Carrier IQ Is Tracking Your iPhone Too, But It’s Easy To Turn Off – lifehacker.com
- Carrier IQ Tracking iPhone Customers Too, Researchers Say – news.cnet.com
- Carrier IQ: How Big A Threat Is It? – news.cnet.com
- Exclusive: Millions of Printers Open To Devastating Attack, Researchers Say – redtape.msnbc.nbc.com
Could a hacker from half-way around the planet control your printer and give it instructions so frantic that it could eventually catch fire? Or use a hijacked printer as a copy machine for criminals, making it easy to commit identity theft or even take control of entire networks that would otherwise be secure?
- Staff To Be Banned From Sending Emails – telegraph.co.uk
Thierry Breton, CEO of Atos and a former French finance minister, wants a "zero email" policy to be in place within as early as 18 months, arguing that only 10 per cent of the 200 electronic messages his employees receive per day on average turn out to be useful. Instead he wants them to use instant messaging and a Facebook-style interface.
- Targeted Attack Steals Credit Cards From Hospitality And Educational Institutions – nakedsecurity.sophos.com
A little more than a week ago SophosLabs became aware of a resurgence of an attack against the education and hospitality industries. In at least one case the malware has shown up at a financial services company.
- Researchers Say Oracle Leaves Databases Needlessly Vulnerable – darkreading.com
Is Oracle just paying lip service to database security? Some researchers within the database community think so, complaining that as the software juggernaut has grown with acquisitions such as the blockbuster Sun deal it hasn’t maintained enough resources to securely develop database products and resolve vulnerabilities disclosed by researchers in a timely fashion.
- Java Is The Largest Malware Target According To Microsoft – h-online.com
In a posting on the Microsoft Security Blog, Tim Rains, a director of Microsoft’s Trustworthy Computing Group, has written of the huge number of Java exploits being found in the wild. In the second half of 2010 and first half of 2011, between a half and a third of all exploits observed by Microsoft’s Malicious Software Removal Tool attacked vulnerabilities in Java.
- The Mystery of Duqu: Part Six (The Command and Control Servers) – securelist.com
Over the past few weeks, we have been busy researching the Command and Control infrastructure used by Duqu. It is now a well-known fact that the original Duqu samples were using a C&C server in India, located at an ISP called Webwerks. Since then, another Duqu C&C server has been discovered which was hosted on a server at Combell Group Nv, in Belgium.
- Public Java Exploit Amps Up Threat Level – krebsonsecurity.com
I disclosed how the Java exploit is being sold on cybercrime forums and incorporated into automated crimeware kits like BlackHole. Since then, security researchers @_sinn3r and Juan Vasquez have developed a module for Metasploit that makes the attack tool available to penetration testers and malicious hackers alike.
- UK "Cyber Strategy": Stuxnet, censorship, and cyber specials – arstechnica.com
On Friday, the UK government released its "Cyber Security Strategy," acknowledging the importance of the Internet to modern life, but also the risks it poses from criminals, terrorists, and nation states. Over the next four years, and at a cost of £650 million ($1 billion), the National Cyber Security Programme (NCSP) has four objectives: "tackle cyber crime," make the UK more resilient to "cyber attacks," create an open and stable "cyberspace," and ensure that the UK has the skills and knowledge to provide all "cyber security" needs.
- EFF Asks US Copyright Office To Exempt Jailbreaking From DMCA – nakedsecurity.sophos.com
Currently under the Digital Millennium Copyright Act (DMCA) in the United States it is illegal to circumvent Digital Rights Management (DRM) technology in a device.
- Research Team Finds Disk Encryption Foils Law Enforcement – physorg.com
A joint U.S./UK research team has found that common encryption techniques are so good that law enforcement, from local to highly resourceful federal agencies, are unable to get at data on a computer hard disk that could be used to prove the guilt of people using the computer to perpetrate crimes.